You need to hear this.

Researchers in Israel have developed a way to bypass a Windows PC's password protection and install malware by using the machine's Cortana capabilities. They plugged a USB network adapter into a computer in Sleep mode, then verbally instructed Cortana to launch the browser and go to an unsecured website. The network adapter then intercepted the web session and redirected the computer to a malicious site instead, from which malware was downloaded onto the computer.

Although the risk only exists if an attacker has physical access to the device, the finding shows that voice assistants lacking accurate voice recognition raise real security concerns.

"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it," said Amichai Shulman, one of the researchers who made the discovery.

1.7 Tbps DDoS breaks record, just 5 days after 1.3 Tbps GitHub attack

Peter (Spiceworks) writes:

In the last couple of weeks, we've seen two massive, record-breaking DDoS attacks. On Feb. 28, there was the largest-ever-at-the-time 1.3 Terabit per second attack launched on GitHub. Now, there are reports that an even bigger 1.7 Terabit per second attack was launched just 5 days later.

News of this latest record-breaking attack comes from NETSCOUT Arbor, who proclaimed, "The Terabit attack era is upon us."

"Today, NETSCOUT Arbor can confirm a 1.7Tbps reflection/amplification attack targeted at a customer of a U.S. based Service Provider has been recorded by our ATLAS global traffic and DDoS threat data system," NETSCOUT writes. "The attack was based on the same memcached reflection/amplification attack vector that made up the Github attack. It’s a testament to the defense capabilities that this Service Provider had in place to defend against an attack of this nature that no outages were reported because of this."

The memcached attack method is likely to gain significant popularity among bad actors, and IT departments are advised to pay attention to incoming and outgoing UDP traffic.
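The attack vector NETSCOUT describes, memcached reflection/amplification, depends on UDP: an attacker sends tiny requests to an exposed memcached server (UDP port 11211) with the victim's address forged as the source, and the server's large responses go to the victim. From a defender's side there are two things to look for in flow data: responses from port 11211 arriving from outside (you are the victim), and your own memcached servers answering towards the outside over UDP (you are the reflector). The following script is an added illustration, not code from the article or from NETSCOUT Arbor; the flow-record format and the addresses (documentation ranges) are constructed for the example.

```python
"""Flag memcached (UDP/11211) reflection traffic in simple flow records.

Added illustration; not code from the article or from NETSCOUT Arbor.
The flow-record format is a constructed, simplified one (one flow per line):
    <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
"""
import ipaddress
import re
from collections import defaultdict

MEMCACHED_PORT = 11211

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample using documentation address ranges. 198.51.100.0/24 is
# "our" network: .7 is a memcached server answering spoofed UDP queries
# (the replies go to 192.0.2.44, whose address was forged in the requests),
# .20 is a web host receiving reflected responses from a server elsewhere,
# .31 talks to memcached over TCP internally (legitimate), .5 is a DNS server.
SAMPLE_FLOWS = """\
2018-03-05T10:00:01Z udp 203.0.113.9:11211 -> 198.51.100.20:443 1400
2018-03-05T10:00:01Z udp 203.0.113.9:11211 -> 198.51.100.20:443 1400
2018-03-05T10:00:01Z udp 192.0.2.44:53213 -> 198.51.100.7:11211 15
2018-03-05T10:00:01Z udp 198.51.100.7:11211 -> 192.0.2.44:53213 1400
2018-03-05T10:00:02Z udp 198.51.100.7:11211 -> 192.0.2.44:53213 1400
2018-03-05T10:00:02Z tcp 198.51.100.31:51000 -> 198.51.100.7:11211 80
2018-03-05T10:00:02Z udp 198.51.100.5:53 -> 192.0.2.10:40001 120
"""


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": d["ts"], "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
            "bytes": int(d["bytes"]),
        })
    return flows


def classify(flows, local_net):
    """Return (roles, ratios).

    roles:  local host -> set of roles it plays in memcached/UDP traffic
            "victim"    reflected responses (src port 11211) arriving from outside
            "reflector" our memcached answering towards the outside over UDP
            "exposed"   UDP memcached queries reaching us from the outside
    ratios: (local server, remote peer) -> bytes sent / bytes received, i.e.
            the observed amplification factor for that peer
    """
    roles = defaultdict(set)
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue  # only UDP can be reflected with a forged source address
        src_local, dst_local = f["src"] in local_net, f["dst"] in local_net
        if dst_local and not src_local and f["sport"] == MEMCACHED_PORT:
            roles[str(f["dst"])].add("victim")
        if src_local and not dst_local and f["sport"] == MEMCACHED_PORT:
            roles[str(f["src"])].add("reflector")
            resp_bytes[(str(f["src"]), str(f["dst"]))] += f["bytes"]
        if dst_local and not src_local and f["dport"] == MEMCACHED_PORT:
            roles[str(f["dst"])].add("exposed")
            req_bytes[(str(f["dst"]), str(f["src"]))] += f["bytes"]
    ratios = {}
    for key, sent in resp_bytes.items():
        received = req_bytes.get(key, 0)
        ratios[key] = sent / received if received else float("inf")
    return dict(roles), ratios


def analyze(text=SAMPLE_FLOWS, local_cidr="198.51.100.0/24"):
    """Convenience wrapper: parse and classify the given flow text."""
    return classify(parse_flows(text), ipaddress.ip_network(local_cidr))


if __name__ == "__main__":
    roles, ratios = analyze()
    for host, what in sorted(roles.items()):
        print(f"{host}: {', '.join(sorted(what))}")
    for (server, peer), ratio in ratios.items():
        print(f"{server} -> {peer}: amplification x{ratio:.0f}")
```

On the sample, the web host shows up as "victim", and the memcached server as both "exposed" and "reflector" with an observed amplification of roughly 187x (2800 bytes out for 15 bytes in). The internal TCP connection to memcached is ignored on purpose: TCP cannot be reflected with a forged source address, and blocking UDP to port 11211 at the edge (or disabling memcached's UDP listener) is what removes the "exposed" and "reflector" roles.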

Facebook to direct users to HTTPS versions of target links

Facebook announced March 5 that it will now automatically direct visitors to HTTPS-secured versions of target links when one is available. The company is using a feature known as HTTP Strict Transport Security (HSTS) preloading, and says it is rolling HSTS out across Facebook and Instagram.

"We continue to encourage people to check the URL in the address bar to see if the link is supported by HTTPS," Jon Millican, software engineer at Facebook, told eWEEK. "But we understand that many people still use browsers that don't support HSTS, and so we're working to ensure that their first connection to supported websites is secure."

One of the challenges sites face when implementing HSTS is that not all sites support HTTPS and not all browsers honor HSTS headers. eWEEK reports that Facebook's HSTS preloading addresses these problems by maintaining a list of sites that follow HTTPS best practices and redirecting users to the HTTPS versions of links to those sites.
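Two pieces of mechanism sit behind the paragraphs above: a site qualifies for a preload list by sending a Strict-Transport-Security header with a long enough max-age, includeSubDomains and the preload directive, and a party that holds such a list can rewrite http:// links to https:// before the user's browser ever makes the insecure first request. The script below is an added example, not Facebook's code and not the real Chromium preload list; the preload entries are constructed, and the eligibility thresholds are the published preload submission requirements (max-age of at least one year, includeSubDomains, preload).

```python
"""HSTS in two parts: check a Strict-Transport-Security header against the
preload submission requirements, and upgrade outbound http:// links against a
preload list the way a preloading site or browser would.

Added example; not Facebook's code and not the Chromium preload list. The
preload entries below are constructed. The eligibility thresholds are the
published preload requirements: max-age of at least one year, includeSubDomains
and the preload directive.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds

# Constructed preload list: host -> whether the entry covers subdomains
PRELOAD = {
    "example.com": True,          # includeSubDomains: www.example.com is covered
    "static.example.net": False,  # exact host only
}


def parse_hsts(header):
    """Parse 'max-age=...; includeSubDomains; preload' (directive names are case-insensitive)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def preload_eligible(header):
    """True if the header meets the preload list submission requirements."""
    p = parse_hsts(header)
    return (p["max_age"] is not None and p["max_age"] >= ONE_YEAR
            and p["include_subdomains"] and p["preload"])


def is_preloaded(host, preload=PRELOAD):
    """Exact match always counts; a parent entry counts only with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload:
            return i == 0 or preload[candidate]
    return False


def upgrade_link(url, preload=PRELOAD):
    """Rewrite an http:// URL to https:// when its host is preloaded; otherwise return it unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url
    if not is_preloaded(parts.hostname, preload):
        return url
    netloc = parts.netloc
    if parts.port == 80:  # an explicit :80 would otherwise carry over to the https URL
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
    print(preload_eligible("max-age=300"))
    for link in ("http://www.example.com/page?x=1", "http://cdn.static.example.net/a.js"):
        print(link, "->", upgrade_link(link))
```

The subdomain walk in is_preloaded is the part that matters for correctness: a link to cdn.static.example.net must not be upgraded on the strength of an entry for static.example.net that was submitted without includeSubDomains, because the subdomain may not serve HTTPS at all, which is exactly the "not all sites support HTTPS" problem the article mentions.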

But there's more going on in the world than that.

Washington becomes first U.S. state to pass law upholding net neutrality

Peter (Spiceworks) writes:

Following the repeal of the net neutrality policy by the Federal Communications Commission (which takes effect on Apr. 23, 2018), many states vowed to push back against the actions of the U.S. federal agency.

New York, New Jersey, and Montana recently enacted policies that require ISPs supporting government agencies to adhere to net neutrality. On March 5, Washington became the first U.S. state to pass and sign a law protecting net neutrality throughout the state.

"The law, signed on Monday by Gov. Jay Inslee, prohibits internet service providers from blocking or slowing down web content," CNET writes. "The law comes about three months after the FCC voted to dismantle rules that ensured all traffic on the internet is treated equally and prevented broadband and wireless providers from blocking or slowing online content."

About the passing of House Bill 2282, Governor Inslee had this to say: "Today we make history: Washington will be the first state in the nation to preserve the open internet ... We’ve seen the power of an open internet. It allows a student in Washington to connect with researchers all around the world — or a small business to compete in the global marketplace. It’s allowed the free flow of information and ideas in one of the greatest demonstrations of free speech in our history."

And you can't not know this.

Google tests 72-qubit computer

Google says its researchers are testing a quantum computer with 72 quantum bits, or qubits, which would be a massive leap from the company's existing nine-qubit chip. According to Google physicist Julian Kelly, the team seeks to use the larger chip to achieve "quantum supremacy" for the first time.

"Achieving quantum supremacy requires a computer of more than 50 qubits, but scientists are still struggling to control so many finicky quantum entities at once," Science News writes. "Unlike standard bits that take on a value of 0 or 1, a qubit can be 0, 1 or a mashup of the two, thanks to a quantum quirk known as superposition."

The new chip has been dubbed Bristlecone because of the pinecone-shaped qubit arrangement. The chip is now being put through rigorous testing, but the researchers say they are very optimistic. One researcher told Science News that a quantum supremacy demonstration could come in just a few months.

48 Replies

I'm not sure that I'm buying the Cortana hack. Especially because the attack requires physical access. As has been observed a multitude of times on this (and other) websites, if you don't CONTROL physical access to your devices, you DON'T truly control your device! (or some such wording)

And I'm glad to see that State governments are taking the lead when the Federal government agencies are seriously derelict in enforcing their duties TO their citizens! Hope to see more States jump onto this bandwagon.

You could (potentially) do this to a user in a coffee shop or common workspace, or to a salesperson or other visitor leaving you unattended for a few bits with their machine (imagine this for corp. espionage for example by setting up a "sales" meeting and dropping something on the lappy to take back to the home network.) I think the "next level" danger here is that you can do this without any trace (as for example a reboot into a live ISO/thumb drive would, and takes a bit longer as you need the reboot and the re-reboot).

So I agree (we all agree) that physical security is huge, but this just lowered the barrier for what can be done with even a few brief moments of physical access. This makes it absolutely essential to turn off Cortana for road warriors or anyone whose machine is subject to any (however brief) access to public/passerby traffic.

Suppose a hacker posts a YouTube video with commands to Cortana? That would not require physical access. Or uses a low-power FM transmitter to send such commands to all radios playing in the vicinity, chances are some of which will be near computers?

I think what's been revealed here is more in the nature of the tip of an iceberg in voice command security.


Google says its researchers are testing a quantum computer with 72 quantum bits, or qubits, which would be a massive leap from the company's existing nine-qubit chip. According to Google physicist Julian Kelly, the team seeks to use the larger chip to achieve "quantum supremacy" for the first time.

"Quantum supremacy" involves performing a calculation that is impossible with traditional computers. The only thing I know of that is truly impossible for traditional computers is working for normal users.